teamdfir / sift

SIFT
MIT License

pytsk3 issues #110

Closed christoftaylor closed 7 years ago

christoftaylor commented 8 years ago

On a relatively fresh download of SIFT3, ran update-sift and it started generating errors. Everything from mantaray down failed to install. Any package I tried to apt-get after that failed to install. After some frustration and a lot of removing and installing of various packages, it appears the problem is mantaray tries to install pytsk3_4.2.0-20150406 which fails because there is also a pytsk3_4.2.0-20150325 available, then every attempt to install anything after that ends with apt-get telling me to run 'apt-get -f install'.

Errors look something like this: (trimmed to just the important lines)

...
Unpacking pytsk3 (4.2.0-20150406-1ppa1~trusty) ...
dpkg: error processing archive /var/cache/apt/archives/pytsk3_4.2.0-20150406-1ppa1~trusty_amd64.deb (--unpack):
 trying to overwrite '/usr/lib/python2.7/dist-packages/pytsk3.so', which is also in package python-pytsk3 20160325-1ppa1~trusty
...
Errors were encountered while processing:
 /var/cache/apt/archives/pytsk3_4.2.0-20150406-1ppa1~trusty_amd64.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)

...

Would somebody mind verifying, is this just me? What do I need to do to get pytsk3 to play well with others?
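The dpkg output quoted above follows a fixed shape: an "Unpacking NAME (VERSION)" line followed by a "trying to overwrite 'PATH', which is also in package NAME VERSION" line. The following parser, an added example rather than anything from the SIFT project or this thread, pulls the two package names and the contested path out of that output so the collision can be confirmed before anyone reaches for a --force flag. The two sample reports are the ones posted in this thread (the second one appears further down, where the same two packages collide in the opposite direction).

```python
import re
from typing import List, NamedTuple, Optional, Set, Tuple


class FileConflict(NamedTuple):
    """One 'trying to overwrite' event from a dpkg --unpack failure."""
    path: str
    unpacking_pkg: str       # package dpkg was unpacking when it failed
    unpacking_version: str
    owner_pkg: str           # package that already owns the file
    owner_version: str


# "Unpacking pytsk3 (4.2.0-20150406-1ppa1~trusty) ..."
UNPACK_RE = re.compile(r"^Unpacking (\S+) \(([^)]+)\)")
# " trying to overwrite '/usr/lib/.../pytsk3.so', which is also in package python-pytsk3 20160325-1ppa1~trusty"
OVERWRITE_RE = re.compile(
    r"trying to overwrite '([^']+)', which is also in package (\S+) (\S+)"
)


def find_file_conflicts(log_text: str) -> List[FileConflict]:
    """Scan apt/dpkg output and return every file-ownership conflict it reports."""
    conflicts: List[FileConflict] = []
    current: Optional[Tuple[str, str]] = None  # (name, version) being unpacked
    for raw in log_text.splitlines():
        line = raw.strip()
        m = UNPACK_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            continue
        m = OVERWRITE_RE.search(line)
        if m and current is not None:
            conflicts.append(
                FileConflict(m.group(1), current[0], current[1], m.group(2), m.group(3))
            )
    return conflicts


def conflicting_pairs(conflicts: List[FileConflict]) -> Set[Tuple[str, str]]:
    """Collapse conflicts into unordered package pairs, so A-vs-B and B-vs-A count once."""
    return {tuple(sorted((c.unpacking_pkg, c.owner_pkg))) for c in conflicts}


# Sample reports: the two dpkg failures quoted in this thread (trimmed as posted).
REPORT_1 = """\
Unpacking pytsk3 (4.2.0-20150406-1ppa1~trusty) ...
dpkg: error processing archive /var/cache/apt/archives/pytsk3_4.2.0-20150406-1ppa1~trusty_amd64.deb (--unpack):
 trying to overwrite '/usr/lib/python2.7/dist-packages/pytsk3.so', which is also in package python-pytsk3 20160325-1ppa1~trusty
Errors were encountered while processing:
 /var/cache/apt/archives/pytsk3_4.2.0-20150406-1ppa1~trusty_amd64.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)
"""

REPORT_2 = """\
Preparing to unpack .../python-pytsk3_20160721-1ppa1~trusty_amd64.deb ...
Unpacking python-pytsk3 (20160721-1ppa1~trusty) ...
dpkg: error processing archive /var/cache/apt/archives/python-pytsk3_20160721-1ppa1~trusty_amd64.deb (--unpack):
 trying to overwrite '/usr/lib/python2.7/dist-packages/pytsk3.so', which is also in package pytsk3 4.2.0-20150406-1ppa1~trusty
dpkg-deb: error: subprocess paste was killed by signal (Broken pipe)
"""


if __name__ == "__main__":
    for c in find_file_conflicts(REPORT_1 + REPORT_2):
        print(f"{c.unpacking_pkg} {c.unpacking_version} and "
              f"{c.owner_pkg} {c.owner_version} both ship {c.path}")
    print("distinct colliding pairs:", conflicting_pairs(find_file_conflicts(REPORT_1 + REPORT_2)))
```

Feeding both reports through `conflicting_pairs` yields a single pair, which is the useful diagnostic here: the two packages are not corrupt, they are two builds of the same binding that both own `pytsk3.so`, so the repair is to keep exactly one of them rather than to force the overwrite.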

ekristen commented 8 years ago

I just had my test vm run through the update process a few times and had no issues.

The VM is pretty old, I'll have to test using the VM.

sygmus commented 8 years ago

I downloaded SIFT ova today. Most packages updated with update-sift. Exceptions:

sygmus commented 8 years ago

oops - #51 above should be: https://github.com/sans-dfir/sift/issues/51

sygmus commented 8 years ago

...editor is making me mad.... #51 should be: https: //github.com/sans-dfir/sift/issues / 51 (remove the spaces in URL...)

christoftaylor commented 8 years ago

mantaray was a ManTech product. Not sure if they actively maintain it. Unfortunately, all my contacts within that team have moved on, so I’m not sure who to notify.

I’m sorry I didn’t provide this feedback earlier, I totally just spaced and forgot this was still sitting open.

I was seeing mantaray and some others (but I don’t remember if it was this exact list) fail because pytsk3 was failing and was a dependency. Once I fixed pytsk3, they installed ok.

pytsk3 was failing because apt-get was trying to install two different versions of pytsk3. It would basically fail with a note about files already existing, even though they didn’t already exist prior to trying to install. To get around that, I downloaded the package for the most recent version and installed with a --force option so it would overwrite the file it was complaining about.

Hope that helps. Thanks!

On Jun 28, 2016, at 15:45, sygmus notifications@github.com wrote:

I downloaded SIFT ova today. Most packages updated with update-sift. Exceptions:

mantaray failed (100) - went to mantaray website (http://mantarayforensics.com/) and it appears that there are issues there - get a splash screen telling the owner of the site to contact tech support - so either broken, out of business, non-payment, or other misfortune has apparently befallen the mantaray forensics team.

docker-engine failed (100) - installed manually as per here: https://docs.docker.com/engine/installation/ passed "hello world test", but not the bash test - so maybe OK???

elasticsearch failed (100) - installed manually as per: #51 https://github.com/sans-dfir/sift/issues/51 NOTE added comment by me at bottom - json example has been moved

plaso failed - installed by elasticsearch script noted above. Maybe OK??

:::hope this helps!

DigiAngel commented 8 years ago

Count me in with this:

Preparing to unpack .../python-pytsk3_20160721-1ppa1~trusty_amd64.deb ...
Unpacking python-pytsk3 (20160721-1ppa1~trusty) ...
dpkg: error processing archive /var/cache/apt/archives/python-pytsk3_20160721-1ppa1~trusty_amd64.deb (--unpack):
 trying to overwrite '/usr/lib/python2.7/dist-packages/pytsk3.so', which is also in package pytsk3 4.2.0-20150406-1ppa1~trusty
dpkg-deb: error: subprocess paste was killed by signal (Broken pipe)

This is with a fairly updated VM that I snapshotted beforehand. This has remnux as well. Anything else I can provide?

DigiAngel commented 8 years ago

Any movement on this? I am unable to update until this is resolved..thank you...I can test at any time since I have a before and after snapshot.

ekristen commented 8 years ago

I can't duplicate. Every instance of the SIFT workstation I have and then installing from scratch does not run into a problem installing pytsk3.

Do you have other things on your workstation? remnux? dff? etc?

DigiAngel commented 8 years ago

Yes, this does have Remnux...thank it's a gig on Lenny?

ekristen commented 8 years ago

You are running on lenny?

Well SIFT is only supported by itself and on Trusty, working on supporting Xenial. Anything outside of that isn't supported.

At this time remnux + SIFT isn't supported because there are too many conflicts. I'd like them to be compatible, but the way remnux installs things conflicts with SIFT unfortunately. See https://github.com/sans-dfir/sift/issues/112

DigiAngel commented 8 years ago

LoL...I mean Lenny Zeltser...;) This is Ubuntu Trusty.

DigiAngel commented 8 years ago

Ok cool...looks like I'm going to need to figure out how to fix this going forward as I have several SIFT+Remnux machines :(

ekristen commented 8 years ago

Oh haha, sorry missed it. I've been focused on getting support on Xenial (16.04) up and going.

Did you just install remnux + sift? In which order? Installing side by side with remnux is on the todo list, but first and foremost need sift to work on its own for the SANS classes.

DigiAngel commented 8 years ago

I followed this on the SANS site, Sift then Remnux:

https://digital-forensics.sans.org/blog/2015/06/13/how-to-install-sift-workstation-and-remnux-on-the-same-forensics-system

No issues for a long time..first one is this one really.

DigiAngel commented 8 years ago

Opened:

https://github.com/REMnux/distro/issues/9

For Lenny to take a look at as well.

knutern007 commented 8 years ago

Ran into the same problem with mantaray and pytsk3, both returning error code 100. Attempted to install manually:

apt-get install mantaray
Reading package lists... Done
Building dependency tree
Reading state information... Done
Some packages could not be installed. This may mean that you have requested an impossible situation or if you are using the unstable distribution that some required packages have not yet been created or been moved out of Incoming.
The following information may help to resolve the situation:

The following packages have unmet dependencies:
 mantaray : Depends: pytsk3 but it is not installable
E: Unable to correct problems, you have held broken packages.

apt-get install pytsk3
Reading package lists... Done
Building dependency tree
Reading state information... Done
Package pytsk3 is not available, but is referred to by another package.
This may mean that the package is missing, has been obsoleted, or is only available from another source

E: Package 'pytsk3' has no installation candidate

ekristen commented 8 years ago

See https://github.com/sans-dfir/sift/issues/106#issuecomment-251566412, steps 2-4

imifos commented 8 years ago

(Just as note: I had the same problem and the above comment (2-4) fixed that for me. log2timeline and plaso still are working fine). Thank you!

elhoim commented 7 years ago

Steps 2-4 as mentioned by @ekristen also worked for me with a fresh appliance download without remnux install.

arrigo commented 7 years ago

Should anyone be interested I patched the debian/control file from the Mantaray v1.4.1 GitHub tree so that it works correctly with the latest SIFT3 (tested 9MAR2017).

You can grab the patched version mantaray_1.3.92-ubuntu03_amd64.deb from my website.

Installation notes:

1) dpkg -i mantaray_1.3.92-ubuntu03_amd64.deb
2) apt-mark hold mantaray
3) aptitude upgrade to install the dependencies which it complains about in 1)

You must run the "hold" step or it will try to fetch the updates from the mantaray repository (if you installed it) where the 1.3.92 version has broken dependencies.

(P.S. ex- certified SANS instructor for the offensive tracks so caveat emptor ...)

arrigo commented 7 years ago

The fix required, if you want to do it yourself, is:

1) download Mantaray v1.4.1 from GitHub (I assume you know how to do that) and check out v1.4.1
2) cd mantaray/debian
3) vi control # edit the Depends: line to read like below...

Depends: python-tk, python3-tk, python3.4, python2.7, bulk-extractor, log2timeline-perl, regripper, libevt, libevt-tools, libevtx, libevtx-tools, libewf, dos2unix, liblightgrep, libolecf, libolecf-tools, libregf, libregf-tools, libvshadow, libvshadow-tools, python-plaso, sleuthkit, python-volatility, cryptsetup, e2fslibs-dev, extundelete, kdiff3, libxml2-dev, libfuse-dev, libfvde, libfvde-tools, zenity, fuse-emulator-utils, tofrodos, mac-robber, ent, libssl-dev, openjdk-6-jdk, fdupes, dconf-tools, afuse, liblightgrep, flex, windows-perl, foremost, libewf-tools, python3-pytsk3

4) install the Debian build stuff (apt-get install debhelper is the only bit required on a SIFT3 installation)
5) cd mantaray && dpkg-buildpackage
6) cd .. # and you will find what you seek
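Step 3 above is a hand edit of the Depends: field. The script below, an added example that is not part of the Mantaray tree or of this thread, does the same edit mechanically: it parses a Debian control file (including continuation lines and version constraints), swaps a named dependency for another, and also reports any dependency listed twice. The control file it operates on is a constructed stub that only assumes the original field names `pytsk3` as a dependency, which is what the unmet-dependency error earlier in this thread shows; the replacement Depends line from the comment above is included so the duplicate check can be run over it.

```python
import re
from typing import Dict, List, Optional, Tuple

# One dependency alternative: (package name, optional version constraint such as ">= 9").
Dep = Tuple[str, Optional[str]]

NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9+.-]*)(?:\s*\(([^)]*)\))?\s*$")


def parse_depends(value: str) -> List[List[Dep]]:
    """Parse a Depends value into groups; each group lists the '|' alternatives."""
    groups: List[List[Dep]] = []
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        alts: List[Dep] = []
        for alt in item.split("|"):
            m = NAME_RE.match(alt.strip())
            if not m:
                raise ValueError(f"cannot parse dependency: {alt!r}")
            alts.append((m.group(1), m.group(2)))
        groups.append(alts)
    return groups


def format_depends(groups: List[List[Dep]]) -> str:
    """Serialise groups back into a single-line Depends value."""
    return ", ".join(
        " | ".join(name + (f" ({ver})" if ver else "") for name, ver in group)
        for group in groups
    )


def depends_value(control_text: str) -> str:
    """Return the Depends value with its continuation lines joined (empty if absent)."""
    lines = control_text.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("Depends:"):
            value = line[len("Depends:"):]
            for cont in lines[i + 1:]:
                if not cont[:1] in (" ", "\t"):
                    break
                value += " " + cont.strip()
            return value.strip()
    return ""


def rewrite_depends(control_text: str, replacements: Dict[str, str]) -> str:
    """Return the control file with package names in Depends: replaced per `replacements`."""
    out: List[str] = []
    lines = control_text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("Depends:"):
            value = line[len("Depends:"):]
            i += 1
            while i < len(lines) and lines[i][:1] in (" ", "\t"):  # continuation lines
                value += " " + lines[i].strip()
                i += 1
            groups = [[(replacements.get(n, n), v) for n, v in g] for g in parse_depends(value)]
            out.append("Depends: " + format_depends(groups))
            continue
        out.append(line)
        i += 1
    return "\n".join(out) + "\n"


def duplicates(groups: List[List[Dep]]) -> List[str]:
    """Names that appear more than once in a Depends value, in first-repeat order."""
    seen, dups = set(), []
    for group in groups:
        for name, _ in group:
            if name in seen and name not in dups:
                dups.append(name)
            seen.add(name)
    return dups


# Constructed stub of a debian/control file (not Mantaray's real one); it only assumes
# that the original Depends: names `pytsk3`, as the thread's dependency error shows.
SAMPLE_CONTROL = """\
Source: mantaray
Section: utils
Priority: optional
Maintainer: PLACEHOLDER <placeholder@example.invalid>
Build-Depends: debhelper (>= 9)

Package: mantaray
Architecture: amd64
Depends: python-tk, python3-tk, pytsk3,
 sleuthkit, python-volatility
Description: constructed stub for the example
"""

# The replacement Depends line posted in this thread.
POSTED_DEPENDS = (
    "python-tk, python3-tk, python3.4, python2.7, bulk-extractor, log2timeline-perl, regripper, "
    "libevt, libevt-tools, libevtx, libevtx-tools, libewf, dos2unix, liblightgrep, libolecf, "
    "libolecf-tools, libregf, libregf-tools, libvshadow, libvshadow-tools, python-plaso, sleuthkit, "
    "python-volatility, cryptsetup, e2fslibs-dev, extundelete, kdiff3, libxml2-dev, libfuse-dev, "
    "libfvde, libfvde-tools, zenity, fuse-emulator-utils, tofrodos, mac-robber, ent, libssl-dev, "
    "openjdk-6-jdk, fdupes, dconf-tools, afuse, liblightgrep, flex, windows-perl, foremost, "
    "libewf-tools, python3-pytsk3"
)

if __name__ == "__main__":
    print(rewrite_depends(SAMPLE_CONTROL, {"pytsk3": "python3-pytsk3"}))
    print("duplicated in posted Depends:", duplicates(parse_depends(POSTED_DEPENDS)))
```

Running it against the posted line shows `liblightgrep` listed twice; dpkg-buildpackage tolerates that, but it is the sort of thing worth trimming while the field is being rewritten anyway.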